------SNIP--------------------
Ed,
Could he mean adding the library to the APF list?
Ed
Ed Jaffe snipped too much. Take a look at more of Gil's post:
On the other hand, anyone who worked at the same shop for a long time knows how to "trick" its systems. How to run jobs with any jobclass (and maybe form some kind of a denial of service attack?), how passwords are managed, who are the powerful users, what resources are not properly protected, how to falsify identities under CICS/IMS, how to run batch jobs under other users, how to become APF-authorized, how to utilize errors in 3rd party products, and the list goes on.
Once you know which power users (sysprog or RACF SPECIAL) don't
log off when they leave their desks, it doesn't take long to get the
access you need to APF datasets. If you know of flaws that let you
submit jobs to run under a power user's userid, again you can do just
about anything.
Hmmm... I never needed that authority and I was a lead. Besides, we had TPX, and if I left my desk, after 5 minutes anyone needed my password to get to my ID. I was usually in the computer room then and just stole my session to there (another great feature of TPX). The AUDITOR was one of the two people that had a special ID. The other was in a locked cabinet for emergencies. All hell broke loose if anyone used it. The auditor and I were good friends and I even had him locked out of my datasets; this was TSO only, of course. Even so, I ran ACF2 reports daily to see who tried to access my datasets. People knew it and would stay away.
I was going to mention some more of my favorite methods I know of
for getting passwords or getting jobs run under others' userids. I
decided it was not a good idea to publicize them. The above are quite
general. (Not that I made use of those methods; it was enough for me
to know they worked, and to try to plug the holes.)
Basically, as others have said:
1. Security is a process; and
2. usually, the biggest security hole is people.
Agreed, but again it may be installation dependent. Some installations, IMO, are loosey goosey and others are by the rules.
Ed
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html